
Issue 663549

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
M-X




Security: [FG-VD-16-075] Adobe Flash Player Handling MP4 Out-of-Bounds Read Vulnerability

Reported by kevinlu0...@gmail.com, Nov 8 2016

Issue description

VULNERABILITY DETAILS
It is an out-of-bounds read vulnerability in MP4 processing.

VERSION
Adobe Flash Player 23.0.0.207
Other versions may be affected too

REPRODUCTION CASE
Put LoadMP42.swf and FG-VD-16-075_PoC.mp4 on a server and load http://127.0.0.1:8080/LoadMP42.swf?file=FG-VD-16-075_PoC.mp4 by running the following command line:
flashplayer_23_sa_207.exe http://127.0.0.1:8080/LoadMP42.swf?file=FG-VD-16-075_PoC.mp4

Credits:
This vulnerability was discovered by Kai Lu of Fortinet's FortiGuard Labs.
 
Attachments:
LoadMP42.swf (1.0 KB)
FG-VD-16-075_PoC.mp4 (153 KB)
crashlog.txt (2.2 KB)
Components: Internals>Plugins>Flash
Labels: Security_Severity-Medium
Owner: natashenka@google.com
Status: Assigned (was: Unconfirmed)
Assigning flash bugs to natashenka@. Mind updating these with whether they affect Chrome stable? Thanks.

Comment 2 by sheriffbot@chromium.org, Nov 9 2016

Labels: Pri-1
Sorry, I'm having trouble getting this to crash. What browser and OS do these work on?
I tested it with the standalone Flash Player on Windows 7 and 10 (page heap enabled), and also in IE11 on Windows 7 (page heap enabled).

I have not tested it in Chrome yet; I will test it right now.
Attached is the crash log from IE 11.
IECrashlog.txt (1.9 KB)
I'm still having trouble reproducing these, but I'm going to pass them to Adobe so they can investigate further. In the meantime, can you submit a sample that crashes in Chrome, as this is a Chrome rewards program?
Ok, thanks. There are some crash samples for this case. I will try to find a sample that crashes in Chrome.
Any update on triaging this? Thanks.
Sorry, there isn't. I've reported it to Adobe, I'll let you know when I hear back.
Status: ExternalDependency (was: Assigned)
Adobe has assigned this PSIRT-6012
Status: Fixed (was: ExternalDependency)
This was fixed as CVE-2017-2926 this month, it is ready for Rewards Panel.

Comment 14 by wfh@chromium.org, Jan 10 2017

Labels: reward-topanel

Comment 15 by sheriffbot@chromium.org, Jan 11 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -reward-topanel reward-unpaid reward-500
The panel decided to award $500 for this report.
Labels: -reward-unpaid reward-inprocess
Labels: Security_Impact-Stable
Labels: M-X

Comment 21 by sheriffbot@chromium.org, Apr 19 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
